Database Users

[ROOT] Stock ICS Leak One-Click Root Tool

Hi all!
First off, I'm new to xda Developers so please excuse me if this is in the wrong forum! I thought I'd post information about a tool I wrote here which roots stock 4.0.3 leak on the A500, A501 and assumingly the A200 too. Its literally one click - just enable USB debugging. "ICS Root" also installs, optionally, FaceLock and Trebuchet (although FaceLock doesn't want to work. It lets you set it up though =P)
Since version 5.0.1 this also now works with the new 0.022.00 leak!
The full post is over at TegraOwners: http://forum.tegraowners.com/viewtopic.php?f=30&t=350
The only real system requirements are Windows (with .Net Framework 4) and an Iconia on the stock 4.0.3 leak. I hope somebody finds this useful its been tested by myself and a couple of TegraOwners users and it works well.
In terms of the technique used, it uses the great Jay Freeman's mempodroid exploit to gain root at which point it mounts /system rw and installs su, busybox and Superuser.apk so no real surprises there. Installing Trebuchet adds that apk to /system/app and installing FaceLock installs the apk to /system/app before installing the pittpatt folder to the flexrom (mounted as /system/vendor). I plan to open source it when all the requested features have been implemented and the code has been cleaned up.
Thanks!
~blackthund3r
EDIT 14/05/2012: ICS Root 7 is out enjoy!
Sent from my A500 using Tapatalk

cwm version?
why would it not work with cwm version?

With this tool does system remain writeable after rooting?

What about flashing CWM with acer recovery installer once rooted? I guess it would screw the bootloader...

lowsum said:
What about flashing CWM with acer recovery installer once rooted? I guess it would screw the bootloader...
Click to expand...
Click to collapse
If you are on the cwm with the HC boot loader it should work as Its Magic will be run..
if you are on the new boot loader as in the full non modded leak.. It will give you secure boot error ..
The new boot loader Blocks its magic.

Thanks
Hey this worked easy. I had to re-install USB drivers and make sure I had the latest from Google. Other then that, hit the button, wait about 1.5 minutes, and it rebooted! No problems thus far! Thanks Again!

JeanBubu said:
why would it not work with cwm version?
Click to expand...
Click to collapse
It would but the cwm one, afaik, is prerooted?
Sent from my A500 using Tapatalk

root doesnt work like its supposed to. i know its only half root due to the bootloader, but terminal emulator flat out says i'm not rooted after this despite sixasis working and titanium backup/root checker both saying i have root and busybox. i'm going to post this on TO as well for you incase you dont check here often.

nifterific said:
root doesnt work like its supposed to. i know its only half root due to the bootloader, but terminal emulator flat out says i'm not rooted after this despite sixasis working and titanium backup/root checker both saying i have root and busybox. i'm going to post this on TO as well for you incase you dont check here often.
Click to expand...
Click to collapse
That's storage cos terminal works for me and running su in an adb shell works great too.
Code:
[email protected]:/ $ export PATH=/data/local/bin:$PATH
[email protected]:/ $ su
# exit
[email protected]:/ $ su
#
Sent from my A500 using Tapatalk

SteamBishop said:
Hey this worked easy. I had to re-install USB drivers and make sure I had the latest from Google. Other then that, hit the button, wait about 1.5 minutes, and it rebooted! No problems thus far! Thanks Again!
Click to expand...
Click to collapse
You're welcome and I'm glad it worked!
Sent from my A500 using Tapatalk

After reading the other post, I have found that I cannot write to the system directory from the device itself. The folder attributes indicate that it is set to write, however File Explorer HD will not let me. I have tried to create a folder in the /system and it will not accept the addition. The strange thing is that Root Check says it is rooted, File Explorer HD accepts putting it into Root Explore, but that is it. It is odd. I will try to reapply the Root to see if that makes a difference.

SteamBishop said:
After reading the other post, I have found that I cannot write to the system directory from the device itself. The folder attributes indicate that it is set to write, however File Explorer HD will not let me. I have tried to create a folder in the /system and it will not accept the addition. The strange thing is that Root Check says it is rooted, File Explorer HD accepts putting it into Root Explore, but that is it. It is odd. I will try to reapply the Root to see if that makes a difference.
Click to expand...
Click to collapse
Please, read the op before bringing this up. This method is for half root, its the only way possible right now on stock leak ics. There is a special script you need to use to mpunt system. You can find it in the stock leak thread, run it in terminal or use rom toolbox and set it as a script to run at boot because rebooting loses write privileges.

nifterific said:
Please, read the op before bringing this up. This method is for half root, its the only way possible right now on stock leak ics. There is a special script you need to use to mpunt system. You can find it in the stock leak thread, run it in terminal or use rom toolbox and set it as a script to run at boot because rebooting loses write privileges.
Click to expand...
Click to collapse
Sorry for offending you and whoever else it did. Thank you for pointing that script out in that post. My intent was to offer a second comment to your assessment..

nifterific said:
Please, read the op before bringing this up. This method is for half root, its the only way possible right now on stock leak ics. There is a special script you need to use to mpunt system. You can find it in the stock leak thread, run it in terminal or use rom toolbox and set it as a script to run at boot because rebooting loses write privileges.
Click to expand...
Click to collapse
I have a better script which I'll be releasing as an update to the root app this morning hopefully. It'll be a terminal command to remount rw.
Sent from my A500 using Tapatalk

New update out!!
blackthund3r said:
I have a better script which I'll be releasing as an update to the root app this morning hopefully. It'll be a terminal command to remount rw.
Sent from my A500 using Tapatalk
Click to expand...
Click to collapse
Version 3 came out this morning
It features some bug fixes as well as a completely new remount menu which mounts /system rw properly on the fly. Tested with a busybox installer app
Enjoy!

Thanks for your tool blackthund3r !
I tried it with the new leak from this morning and it doesn't seem to work anymore
Edit :
Just to be a little more specific, the app says the process was OK and state that the tablet is rooted but the tablet doesn't reboot by itseld and su is not installed. I tried to install su manually but it's unable to find a previous su package on the system.

paugustin said:
Thanks for your tool blackthund3r !
I tried it with the new leak from this morning and it doesn't seem to work anymore
Edit :
Just to be a little more specific, the app says the process was OK and state that the tablet is rooted but the tablet doesn't reboot by itseld and su is not installed. I tried to install su manually but it's unable to find a previous su package on the system.
Click to expand...
Click to collapse
ah okay it appears a completely new leak has been released. It is possible that the mempodroid exploit has been patched up. I'm gonna look into it soon. I can't much tonight - I have school work. I'll see what can be done and what the differences between leaks are.
Sent from my A500 using Tapatalk
EDIT: mempodroid hasn't been patched See ICS Root v3.1

Hi blackthund3r
Thanks for the update 3.1 but could you please fix the problem on your hosting website? clicking on this file send to an error warning.
The other files can be downloaded though.

can someone post a mirror to the 3.1 version? current link is not working.
can somebody also confirm, if i root with this tool, i will be able to reinstall my clockworkmod recovery through 'acer recovery installer' and flash any other cwm rom? or do i have to downgrade to honeycomb 3.01, install iconiaroot for honeycomb and then acer recovery installer?

Gersma,
I'll be able to answer to your question as soon as I'll be able to download this tool and test it.

[Q] Rooting official 2.3.5 wirelessly

Hello!
How can one root official 2.3.5 rom without connecting to usb and adb?
The goal is to install custom ICS on U8800 that has no usb port - completely broken and even not charging phone. No warranty and repair cost is close to actual phone cost. So repairing is not an option.
Wireless adb app requires root first - so it is not an option for me also.
Any help is appreciated - I need ISC because I need ipsec vpn which is npt available in gingerbread.
I am ready to test any operation you suggest - I don't fear to brick the phone, need no backups.

It's impossible. I have one USB broken u8800 and that's why I use cm7 (.32) on it.
Sent from my U8800 using Tapatalk 2

Qqqxxxzzz said:
It's impossible. I have one USB broken u8800 and that's why I use cm7 (.32) on it.
Sent from my U8800 using Tapatalk 2
Click to expand...
Click to collapse
There is nothing impossible I believe
Maybe we could find the trick - gingerbreak works on some roms - another fine exploit maybe.
I don't know - worth a try I think.

tranced1 I might have 1 possible solution for you. I've rooted my 2.3.5 some time ago and I've done a backup of boot.img.
I remember with froyo we could root it with boot.img "rooted". I bet this won't work on 2.3.5, but who knows right?
If you want to give it a try, I upload that boot.img for you.
EDIT: darn! Totally forgot you can't access bootloader directory without root & damaged usb port
Can't remember another way out... sorry

tranced1 said:
There is nothing impossible I believe
Maybe we could find the trick - gingerbreak works on some roms - another fine exploit maybe.
I don't know - worth a try I think.
Click to expand...
Click to collapse
Gingerbreak and z4root doesn't work. Only solution is build your own exploit.
Sent from my U8800 using Tapatalk 2

Is there any way to flash zip from stock recovery? I saw this root method for some samsung phones.
Does anybody know how to compile such .zip file?

tranced1 said:
Is there any way to flash zip from stock recovery? I saw this root method for some samsung phones.
Does anybody know how to compile such .zip file?
Click to expand...
Click to collapse
compiling zip is easy. Your problem is that we don't know how to sign it correctly.
Sent from my GT-P1000 using Tapatalk 2

I believe that you can use terminal emulator and zergrush exploit to root the phone.
The automatic root methods basicaly push the needed files on /data/local change permissions etc... All can be done with linux commands which are available from a terminal emulator. So I don't think that you need the usb cable to root the device. You can try investigate the runme.bat file from doomlord's root method and give the commands manually after you have put the files from files directory on sdcard.

dancer_69 said:
I believe that you can use terminal emulator and zergrush exploit to root the phone.
The automatic root methods basicaly push the needed files on /data/local change permissions etc... All can be done with linux commands which are available from a terminal emulator. So I don't think that you need the usb cable to root the device. You can try investigate the runme.bat file from doomlord's root method and give the commands manually after you have put the files from files directory on sdcard.
Click to expand...
Click to collapse
adb can access the phone as root user - from terminal file system is read-only, so even first step permission denied

Yes, you have right about that.
But, check this thread:
http://forum.xda-developers.com/showthread.php?t=1716068
the last post.
EDIT:
After reading the discription on first post of gingerbreak, I had another Idea.
Seems that gingerbreak uses sd card to temporary store the necessary for root files. So, maybe you can replace these files(and especially the exploit) whith those of doomlord's root app, before you press the root button, so to use the working zergrush exploit.

This is the B528 root bat script:
http://pastebin.ca/raw/2163499
@adb wait-for-device
@echo --- DEVICE FOUND
@echo --- reboot to bootloader
@adb reboot-bootloader
@echo --- flash the rooted bootimage
@fastboot boot boot.img
@echo --- reboot to nomal mode
@fastboot reboot
@echo --- wait for adb connect
@adb wait-for-device
@echo --- DEVICE FOUND
@adb remount -t yaffs2 /dev/block/mtdblock3 /system
Click to expand...
Click to collapse
You're problem is in red... you have to flash the exploited boot image. The rest is just installing busybox, su and SuperUser.apk.
You have the stock recovery which allows you to flash .zip files, but they have to be signed correctly and I don't think that's possible.

VuDuCuRSe said:
This is the B528 root bat script:
http://pastebin.ca/raw/2163499
You're problem is in red... you have to flash the exploited boot image. The rest is just installing busybox, su and SuperUser.apk.
You have the stock recovery which allows you to flash .zip files, but they have to be signed correctly and I don't think that's possible.
Click to expand...
Click to collapse
To boot a different boot image, you have to use USB, atleast on fastboot.

dancer_69 said:
Yes, you have right about that.
But, check this thread:
http://forum.xda-developers.com/showthread.php?t=1716068
the last post.
EDIT:
After reading the discription on first post of gingerbreak, I had another Idea.
Seems that gingerbreak uses sd card to temporary store the necessary for root files. So, maybe you can replace these files(and especially the exploit) whith those of doomlord's root app, before you press the root button, so to use the working zergrush exploit.
Click to expand...
Click to collapse
Thanks for clues but seems there is no way - I cant execute exploit via ssh - permission denied I cant even chmod it.
Gingerbreak completely not working - no files created on sdcard.

Ι didn't find any other way on net. There are several discussions for this problem but not a solution. I think that the only way is to do it for an app. You can contact with the creator of gingerbreak or z4root to ask for it. Also I'll try to make an app myself, but my android developing knowledge is very basic, so don't count too much on this. If I have some kind of success I'll contact you via PM.
EDIT:
Try this mod, and if you are lucky...

dancer_69 said:
Ι didn't find any other way on net. There are several discussions for this problem but not a solution. I think that the only way is to do it for an app. You can contact with the creator of gingerbreak or z4root to ask for it. Also I'll try to make an app myself, but my android developing knowledge is very basic, so don't count too much on this. If I have some kind of success I'll contact you via PM.
EDIT:
Try this mod, and if you are lucky...
Click to expand...
Click to collapse
No I am obviously not the lucky one
My android development knowledge is zero, so if you can run zergRush from executable area it will be a very good start.
And I want to thank everybody for your support.

So, it doesn't work?
I just updated the file, so give it another try.
Also, check if you have logcat and usb debuging enabled(is needed for other methods, so maybe needed here too)

dancer_69 said:
So, it doesn't work?
I just updated the file, so give it another try.
Also, check if you have logcat and usb debuging enabled(is needed for other methods, so maybe needed here too)
Click to expand...
Click to collapse
Logcat: Cannot copy boomsh. : Permission Denied

I will revert to first beta now - and will test if it will work

I suppose this logat message is for z4root fail. Unfortunately I don't know what boomsh is. I just decompiled the apk and replaced the exploit, busybox, superuser, and su files with these from doomlord's root files directory.
So, easy solution didn't work. If I have something else I'll let you know.
EDIT:
I get some info about "cannot copy boomsh"
The exploit creates this file when run. This message appears when this file already exists and needed to be deleted from /data/local/tmp.
I checked z4root-mod on my device(which is already rooted and with ICS custom rom), and I get this message too.
The problem is that this file doesn't exist on my device, so I cannot delete it.
---------- Post added at 04:16 PM ---------- Previous post was at 03:17 PM ----------
I read on a forum that these apps(as z4root) run better after a fresh boot. So, install the latest apk(has newer files), reboot the device and run z4root again.

z4root is a froyo root exploit (I think) and seems "dead" for a long time.
Check Chainfire's Gingerbreak: http://forum.xda-developers.com/showthread.php?t=1044765

Arc Android 4.0.4 Build 4.1.b.0.587

Hey all in UK as ever
Finally my Arc has been updated to the above OS
Came as a complete shock to me as I was going to start looking round for a diff phone but now am on ICS am happier
Slight problem
Previously I had Superuser App and Titanium backup installed and removed the bloatware from my service provider. I tried doing this again once the update was completed but Titanium says it cannot get root access and Superuser is not listing it at all and I cannot add it.
Please help

Have you read the relevant 587 rooting threads, as you've obviously lost root access during the update.
Sent from Myushi

XperienceD said:
Have you read the relevant 587 rooting threads, as you've obviously lost root access during the update.
Sent from Myushi
Click to expand...
Click to collapse
Yeh that looks like what has happened
Just tried rooting again and it failed Titanium will not get root access

Nath316 said:
Yeh that looks like what has happened
Just tried rooting again and it failed Titanium will not get root access
Click to expand...
Click to collapse
You've obviously missed a step then, re read whatever guide to root you've used and try again.

You got arc (lt15i)
Just testpoint, boot a kernel, install root with cwm
Sent from my LT15i using xda premium

XperienceD said:
You've obviously missed a step then, re read whatever guide to root you've used and try again.
Click to expand...
Click to collapse
Well it looks like the Doomlord thing failed
busybox: /system/xbin/zcip: Read-only file system
--- pushing SU binary
failed to copy 'files\su' to '/system/bin/su': Read-only file system
--- correcting ownership
Unable to chmod /system/bin/su: No such file or directory
--- correcting permissions
Unable to chmod /system/bin/su: No such file or directory
--- correcting symlinks
rm failed for /system/xbin/su, Read-only file system
link failed Read-only file system
--- pushing Superuser app
failed to copy 'files\Superuser.apk' to '/system/app/./Superuser.apk': Read-only file system
--- cleaning
rm failed for /data/local.prop, No such file or directory
rm failed for /data/local/tmp, Permission denied
failed on '/data/local/tmp.bak' - No such file or directory
--- rebooting
ALL DONE!!!
Click to expand...
Click to collapse
I followed each step

Hi Nath,
If you tried to root with Doomlords root toolkit try using DooMLoRD_v1_Xperia-2011-ICS-ROOT-emu-busybox-su instead found here, near the bottom of first post...
http://forum.xda-developers.com/showthread.php?t=1601038
I struggled for a while but this worked first time..
good luck and stick with it..

Onmehedson said:
Hi Nath,
If you tried to root with Doomlords root toolkit try using DooMLoRD_v1_Xperia-2011-ICS-ROOT-emu-busybox-su instead found here, near the bottom of first post...
http://forum.xda-developers.com/showthread.php?t=1601038
I struggled for a while but this worked first time..
good luck and stick with it..
Click to expand...
Click to collapse
thanks for pointing out but this failed also with a read only system error.
suspect it is the carrier

I`m just a novice at this game but I dont see how the carrier could affect root as you flash generic .587 firmware to begin with...
Have a look at this great video and follow it point by point but use the alternative root kit than the one shown, although I didnt run programmes from command prompt like he suggests..
http://www.youtube.com/watch?v=Rjv71b9QcZE
Sorry if you have already seen it.
Keep trying , you`ll get there in the end..

Onmehedson said:
I`m just a novice at this game but I dont see how the carrier could affect root as you flash generic .587 firmware to begin with...
Have a look at this great video and follow it point by point but use the alternative root kit than the one shown, although I didnt run programmes from command prompt like he suggests..
http://www.youtube.com/watch?v=Rjv71b9QcZE
Sorry if you have already seen it.
Keep trying , you`ll get there in the end..
Click to expand...
Click to collapse
Interesting post here saying that 587 cannot be rooted
http://forum.xda-developers.com/showthread.php?t=2105325
May explain why i am having issues

Quite right , .587 cannot be rooted directly. You have to downgrade by flashing an earlier version kernel.
So its...Flash .587 firmware - FLASH .562 KERNEL ONLY - root with DooMLoRD_v1_Xperia-2011-ICS-ROOT-emu-busybox-su - flash original .587 kernel..
Watch the video , all is explained within it ...

SuperUser Fixed
Nath316 said:
Hey all in UK as ever
Finally my Arc has been updated to the above OS
Came as a complete shock to me as I was going to start looking round for a diff phone but now am on ICS am happier
Slight problem
Previously I had Superuser App and Titanium backup installed and removed the bloatware from my service provider. I tried doing this again once the update was completed but Titanium says it cannot get root access and Superuser is not listing it at all and I cannot add it.
Please help
Click to expand...
Click to collapse
Hi I got it fixed by flashing SuperSU, update it, then go into settings of SuperSU and Install , then look for Swotch to SuperUser, it un install itself, then go to SuperUser and update...
All done

Root Exploit

Hey guys,
I was looking at the newly patched (for 4.4.3) exploit.
It is patched in our .402 firmware but is exploitable in .69.
Update: Exploit is released, see primary thread: http://forum.xda-developers.com/showthread.php?t=2781109
-----------------------------------------------------------------------------------------
With it me and a friend have managed to take out SELinux:
Code:
[email protected]:/data/local/tmp $ getenforce
Permissive
Edit: And now, my device is rooted! Sweet Time to backup TA.
Edit#2
I/sh (12494): I am running as..
I/sh (12494): uid=0(root) gid=0(root) context=u:r:vold:s0
I/sh (12494): Backing up TA..
I/sh (12494): lrwxrwxrwx root root 1970-03-20 09:35 TA -> /dev/block/mmcblk0p1
I/sh (12494): 4096+0 records in
I/sh (12494): 4096+0 records out
I/sh (12494): 2097152 bytes transferred in 0.065 secs (32263876 bytes/sec)
I/sh (12494): Created /data/local/tmp/TA.img -- Checking MD5..
I/sh (12494): 215c7526bb9abea4ae6363c25987bbd0 /dev/block/platform/msm_sdcc.1/by-name/TA
I/SemcPhoneInterfaceManager(12500): QcSemcService is connected.
I/sh (12494): 215c7526bb9abea4ae6363c25987bbd0 /data/local/tmp/TA.img
Click to expand...
Click to collapse

WOW! this is the most exciting news on this forum yet! Do you have a link to a guide for this exploit?
Sent from my MI 2S using Tapatalk

I would really like to make it a simple process. Right now it is *VERY* ugly!
You have to take out selinux and then replace some files (specific to .69) that let you run root commands from a bash file.
Right now it's just a collection of scripts, an apk and a tar.gz. No checks at all to make sure they are being run correctly.
From what I can tell, this method I am using will work for ALL phones using Android 4.4.2 (unpatched) or earlier.
Although it is using Sony files for the exploit for no other reason than I only cared about rooting my device.

Nice. Hope you can get it polished enough to share soon! Maybe ask for donations too. I'm ordering one soon and I would love root without killing my warranty.
Sent from my MI 2S using Tapatalk

SANGER_A2 said:
Nice. Hope you can get it polished enough to share soon! Maybe ask for donations too. I'm ordering one soon and I would love root without killing my warranty.
Click to expand...
Click to collapse
Is this good enough?
https://mega.co.nz/#!zBZVnDTZ!tajRYy0F3_lgYDITHlqj3UTPv3bDiEQBUW-bj6JqMKQ

xsacha said:
Is this good enough?
https://mega.co.nz/#!zBZVnDTZ!tajRYy0F3_lgYDITHlqj3UTPv3bDiEQBUW-bj6JqMKQ
Click to expand...
Click to collapse
Cool. Can't wait to try it out. Will be a while as I'm not ordering the tablet for about a week. I'm fine with linux, but ADB looks like a complete PITA to install on it, plus having to mess around configuring the USB to talk to the tablet. I've used ADB lots on Windows with no issues and will probably run the commands from there instead. I don't quite understand the "&& \" at the end of each adb command. Is that needed if using ADB in windows?
I'm trying to figure out how it all works and I can understand most of what you have done. I assume the exploit.apk gives su. Is this temporary until a reboot or permanent? And does it mean we have to have the app installed permanently or can it be uninstalled afterwards? Then, you copy and make the scripts & binaries executable. But you don't seem to run the scripts? Do the scripts need to be run on the device in a terminal emulator to backup the TA partition and mount the new volume with vold?

Damn, already updated to .402. Is there anyway to go back to .69?
Greato work btw.

star85 said:
Damn, already updated to .402. Is there anyway to go back to .69?
Greato work btw.
Click to expand...
Click to collapse
Yes, just flash .69. I was on .402 as well and found the exploit patched.
SANGER_A2 said:
Cool. Can't wait to try it out. Will be a while as I'm not ordering the tablet for about a week. I'm fine with linux, but ADB looks like a complete PITA to install on it, plus having to mess around configuring the USB to talk to the tablet. I've used ADB lots on Windows with no issues and will probably run the commands from there instead. I don't quite understand the "&& \" at the end of each adb command. Is that needed if using ADB in windows?
I'm trying to figure out how it all works and I can understand most of what you have done. I assume the exploit.apk gives su. Is this temporary until a reboot or permanent? And does it mean we have to have the app installed permanently or can it be uninstalled afterwards? Then, you copy and make the scripts & binaries executable. But you don't seem to run the scripts? Do the scripts need to be run on the device in a terminal emulator to backup the TA partition and mount the new volume with vold?
Click to expand...
Click to collapse
There was absolutely zero configuration on my Linux distro. In Ubuntu, adb comes in the repos. You don't need drivers on Linux because they are detected as usbnet by default. It literally just works out of the box.
The "&& \" is actually for bash. The && only continues if the previous command succeeds. The \ breaks to next line.
On Windows, you'd use a caret (^) instead of a backslash.
The exploit.apk is used to deploy a shared library owned by system because when a system app tries to load its library, it needs to be owned by system and this is the only way I know how to achieve that.
The exploit is all in vdc (a shell command), which allows us to overwrite files anywhere on the system. So in this instance, ServiceMenu is used. Its library is overwritten with one from exploit.apk. The library simply turns off selinux and then runs whatever is in 'log.command' prop which is in this instance, a shell script. In the script it continues on to the root.
Basically: All apps have system libraries but they can't execute system code unless a system app runs it. System user can turn off selinux. Turning off selinux is required to run as root.
Yes, the scripts get run indirectly. You don't run them yourself because you are only a mere shell user. Vold is not used for anything. It's simply the vehicle for running as root.

Sonny, you win the internets. If I had donation money it would go straight to you.

Thanks for the explanation Sacha. Can't wait to try it. So this let's us backup TA. Does it also provide permanent root or do we still need to unlock the bootloader and break the warranty to get that?
I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!
Sent from my MI 2S using Tapatalk

SANGER_A2 said:
Thanks for the explanation Sacha. Can't wait to try it. So this let's us backup TA. Does it also provide permanent root or do we still need to unlock the bootloader and break the warranty to get that?
I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!
Sent from my MI 2S using Tapatalk
Click to expand...
Click to collapse
Definitely not permanent. Resets on reboot.
I couldn't find anywhere to stick the su binary. /system can't be remounted rw by root. All the other partitions don't let me setuid. If anyone knows where to stick, that would be appreciated.
Afaik unlocking bootloader shouldn't void warranty? Isn't that one of the reasons for TA. When we flash it back, warranty is valid again?

SANGER_A2 said:
Thanks for the explanation Sacha. Can't wait to try it. So this let's us backup TA. Does it also provide permanent root or do we still need to unlock the bootloader and break the warranty to get that?
I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!
Click to expand...
Click to collapse
If your distro doesn't have it in the repos just download and install the official Android SDK. There you only install the "platform-tools".

Thank you very much for this, that's really great news!! As soon as I have time and found out how to flash back to .69 I will try it out. Is there a way to donate to you for your work?
Nevertheless if I understood it right, this persists only until a reboot so if I root it and then update back to .402 it will be gone, so there is no way to have root on .402 with locked bootloader?
Or is it possible to root and backup ta, flash .402 restore ta and lock bootloader AND keep root? That would be awesome!
Thanks
Fleckdalm

fleckdalm said:
Thank you very much for this, that's really great news!! As soon as I have time and found out how to flash back to .69 I will try it out. Is there a way to donate to you for your work?
Nevertheless if I understood it right, this persists only until a reboot so if I root it and then update back to .402 it will be gone, so there is no way to have root on .402 with locked bootloader?
Click to expand...
Click to collapse
I guess you can donate if you want I didn't put much time in to this and I didn't discover the Android exploit. Most my projects (like Dingleberry for rooting) have a full UI and everything. I have a donate link on my blog: http://www.qtness.com/blog/
That's correct. if you upgrade to 402, you will not be able to do it. It's a tethered root but being able to backup TA means you can unlock bootloader and lock it again with everything preserved.

xsacha said:
I guess you can donate if you want I didn't put much time in to this and I didn't discover the Android exploit. Most my projects (like Dingleberry for rooting) have a full UI and everything. I have a donate link on my blog: http://www.qtness.com/blog/
That's correct. if you upgrade to 402, you will not be able to do it. It's a tethered root but being able to backup TA means you can unlock bootloader and lock it again with everything preserved.
Click to expand...
Click to collapse
Yeah I will support your good work!
So that means I can flash 69 using flash tool and backup ta using your script, then i can flash 402, unlock bootloader, flash cwm and root? But how should I continue then? How can I relock bootloader and restore ta? And are you sure that root and cwm isn't lost during this process? Is there really no way to find out if bootloader was unlocked after doing this (for warranty reasons)? Has somebody successfully tried out this procedure?
Oh and an other problem, I can't find a 69 ftf anywhere for the Wifi only model sgp511?
BTW I have just donated to you

fleckdalm said:
Yeah I will support your good work!
So that means I can flash 69 using flash tool and backup ta using your script, then i can flash 402, unlock bootloader, flash cwm and root? But how should I continue then? How can I relock bootloader and restore ta? And are you sure that root and cwm isn't lost during this process? Is there really no way to find out if bootloader was unlocked after doing this (for warranty reasons)? Has somebody successfully tried out this procedure?
Oh and an other problem, I can't find a 69 ftf anywhere for the Wifi only model sgp511?
BTW I have just donated to you
Click to expand...
Click to collapse
For the bootloader locking questions, I'm not the best to ask. I am asking about warranty myself on another thread. This is my first sony device so not sure how they operate.
Don't know. I use sgp521.
Technically anything before firmware .402 should work.

Success!
xsacha, GREAT work!
Successfuly unlocked my bootloader and restored DRM keys! Thanks a lot! really appreciate your work:good:
And about the warranty: if you lock the bootloader before bringing the device to the service center the won't be able to find any traces of bootloader unlock! So with your help we don't need to void our warranty.

nos1609 said:
xsacha, GREAT work!
Successfuly unlocked my bootloader and restored DRM keys! Thanks a lot! really appreciate your work:good:
Click to expand...
Click to collapse
So you have done it like this?
flash 69 using flash tool and backup ta using the script, then flash 402, unlock bootloader, flash cwm and root.
But how should I continue then? How can I relock bootloader and restore ta?

fleckdalm said:
But how should I continue then? How can I relock bootloader and restore ta?
Click to expand...
Click to collapse
Just put the backup on your INTERNAL sdcard and then from adb under su type: "dd if=/sdcard/TA.img of=/dev/block/platform/msm_sdcc.1/by-name/TA"

nos1609 said:
Just put the backup on your INTERNAL sdcard and then from adb under su type: "dd if=/sdcard/TA.img of=/dev/block/platform/msm_sdcc.1/by-name/TA"
Click to expand...
Click to collapse
Thanks! I will try it out as soon as I get a 69 ftf for my model...

Root ANY LG G4 Variant 100% Success Directives | Root Injection | Less Bricks

Hi everyone. As I found out there's root for the G4 but doing this isn't easy especially if your variant is hard to find or has less users. This may result in you waiting for longer than you should. This thread is for those who can take things into their own hands and do it themselves. The tools are available everywhere but I'll give you the best order and steps. I'm using the China LG G4 H818 Dual SIM variant but this method is UNIVERSAL FOR ALL LG G4s.
The process will involve extracting a system image, injecting root and reflashing this image. Most of the steps are effortless and need just copy and paste with keen eyes. Do it slowly. You need an Ubuntu installation for step 2 of this 3-step tutorial. I used universal USB installer and put in on my 8GB USB. Anywhere will do so far as it boots&works. Beware this thread is not dumb-proof but this will not wipe your data or void your warranty if done successfully.
Step 1 -> Getting the proper system image.
Check here and skip to step 3 if you have your rootedsystem.img
>Don't worry because this doesn't require searching. It is from your device. Every device has a system partition and this method will pull it out as an image without root required.
1--Make sure all drivers are installed properly. I'll not be talking about this. We're on XDA not kindergarten.
2--Download the LG_root file or send command file from here and extract it. US Carrier specific check here
3--Put your device in download mode and connect it to your PC.
4--Open(double-click duh) port.bat and make sure to write down the number after com. There maybe different com numbers but choose the com on the DIAG1 line and write down that number. This is important.
5--Hold shift and right-click in any empty space in the extracted folder. Choose open command windows here.
6-- In that copy and paste this
Code:
[FONT=Lucida Console][COLOR=#ff8c00]Send_Command.exe \\.\COM[/COLOR][COLOR=#00ff00][*insert your number here][/COLOR][/FONT]
7--Now you're in send command mode. Nothing looks different on your phone but that's ok. It should just remain in download mode.
8-- On the computer screen in the window you now see #.
9--Now in this post copy the Backup system to internal storage command specific to your device model number. Check in you settings >general >about if in doubt. This is the most important step. Copy the whole line of code. Highlight with your mouse, select everything on the line and copy.
10--You didn't come all this way to fail so do it. Remember it is device model specific.
11-- Paste it in the command window and hit enter. It should take a while so wait until you see#reappear.
12--Now typeLEAVEall in capital letters. Your device will reboot. Check using the file manager if you have a file called system.img in your internal storage. If yes step 2 is next and you did well. If no repeat it and follow the steps properly. Make sure drivers are installed especially windows 10/8/8.1 users. Check device manager
Step 2 -> Root injection.
1--Prepare your Ubuntu USB or virtual machine or computer.
2--Download inject_root zip from here and extract.
3--Copy the system.img from your phone to the extracted inject_root folder on your PC.
4-Reboot into Ubuntu.
5--Here open a terminal.
6--Gain root access on Ubuntu by typing or copy and paste sudo -i
7--You should either be asked for your password which you have to enter or if you used a USB drive like me you'll see the name change to[email protected]
8--Navigate to the inject_root folder by using cd commands. This can also be done by typing cd then [space] then dragging and dropping the folder into the terminal and hitting enter.
9--You'll now see the name in the terminal become longer with the name of the folder in it.
10--Now type chmod +x autoroot.sh
11--Hit enter then sudo ./autoroot.sh
12--If you get any thing like command not recognized or something of the sort use sudo sh autoroot.sh
-That worked for me.
13--If you're successful the name of the file should change from system.img torootedsystem.img
-Please note don't rename the files. Leave them as they are.
14--Now go back to Windows let's finish this.
Step 3 ->Root
1--Transfer the rootedsytem.img to your phones internal storage.
2--Put your phone in download mode and connect it to your PC.
3--Get into send command mode as in step one.
-Put your device in download mode and connect it to your PC.
-Open port.bat and make sure to write down the number after com. There maybe different com numbers but choose the one that has DIAG1 on the same line as it. Note it down this is important.
-Hold shift and right click in any empty space in the extracted folder. Choose open command windows here.
- In that copy and paste this
Send_Command.exe \\.\COM[*insert your number here]
-Now you're in send command mode. Nothing looks different on your phone but it's find. It should just remain in download mode.
4-Now grab your command to flash system.img line of code from this post. It isn't the same as step one. Copy that an paste in the command window. Make sure it is for your device. They are model specific.
5--This should take a while so wait until you see the # again.
6--After thatLEAVEand upon reboot you should have root.
To Un-root just flash a KDZ file compatible with your device here.
Testimonies
Spudnubs said:
Rooted H812 10g for my fellow Canadians. Enjoy!
https://www.androidfilehost.com/?fid=24052804347821979
Click to expand...
Click to collapse
Wildsheep said:
This root method works for my G4 purchased in Singapore (H815 SEA)
Click to expand...
Click to collapse
luongquang said:
Thanks to @hackarchive, H818p10f done with tut.
Click to expand...
Click to collapse
player911 said:
Fantastic. This method will also ease devs for future rooted firmwares. I really cannot see LG being able to patch this, since this is basically a 3rd party LG Flashing tool. If they block this method, then their own tool will ultimately die with it.
Click to expand...
Click to collapse
GavTheStoner said:
Fantastic! I had almost given up hope of root on my EE LG G4. Have just used this method and now rooted perfectly!
hackarchive You rock! Have a thanks!
Click to expand...
Click to collapse
articular said:
everything worked fine and i successfully got my g4 rooted
my variant is H815TR
all steps easy only the ubuntu part was a bit hard especially for a windows user ( finding an ubuntu version and usb install etc. not root injection part)
ty ty ty again )
Click to expand...
Click to collapse
rirozizo said:
if it were for me to decide if we should delete the low effort root method, i'd totally delete it.
"The more 'manual', the better"
Click to expand...
Click to collapse
Moe5508 said:
Only method that roots my device successfully...I updated to 10e of the H815P and using this method (and only this!0 I was able to root my phone...ah felt so good...
The other 1-click rooting methods I came across in other parts of this forum just fail on the G4...
Click to expand...
Click to collapse
Marshmallow and root situation read here
Hit thanks if you appreciate. Hope I helped.
Credits to them whom without this won't be possible :good:
Thecubed
Team Codefire
ManhIT

This is a good method, thanks for writing this up.
I would like to add a few points....
I recommend you do keep your original system.img on your phones regular internal storage. If you encounter any boot issues you can then re-enter download mode and write the original system.img over the top of the failed root attempt. Use the same command from "step 3: root" but replace rootedsystem.img with system.img. This should still be on your phone from step 1 and will recover your phone from a failed root injection attempt. Note that it will not recover your phone if you messed up the dd command and overwrote other partitons. Be sure to use the right dd command and cut n paste to prevent seek/offset typeos.
I also recommend that you keep a backup of your system.img on your pc. When you run autoroot.sh in step 2 the copy on your pc will be renamed and patched. I suggest copying system.img somewhere else first, or re-copy it off your phone.
Additional credits to blog.lvu.kr. This is the blog of the hobbyist who reverse engineered the download mode protocol, created send_command.exe and gave it to the world. Kudos to you.

How is this any easier than the original method....if anything this requires even more work

kyle1867 said:
How is this any easier than the original method....if anything this requires even more work
Click to expand...
Click to collapse
It's for those who have rare variants.

psycho_asylum said:
It's for those who have rare variants.
Click to expand...
Click to collapse
Then you should probably take out the claim that this method is easier from the OP

Can this be used to inject Xposed as well for those of us with locked BLs.

djkinetic said:
Can this be used to inject Xposed as well for those of us with locked BLs.
Click to expand...
Click to collapse
No, we need to wait for a custom recovery.

psycho_asylum said:
No, we need to wait for a custom recovery.
Click to expand...
Click to collapse
Just used flash fire it worked rocking xposed now on 810!

djkinetic said:
Just used flash fire it worked rocking xposed now on 810!
Click to expand...
Click to collapse
Oh nice! I wasn't adventurous enough to try it. I'll make a system backup and give it a whirl!

Very nice thread, thank you. The steps were short, few, and fairly concise.
I was waiting for something like this where I could modify my own image and I wouldn't have to wipe everything or replace it with a new image.
One thing you might want to mention is that if your phone is encrypted, you'll need to unencrypt it first.
Can anyone link me to some instructions on how to disable OTA updates for an unlocked/international H815T?

kyle1867 said:
How is this any easier than the original method....if anything this requires even more work
Click to expand...
Click to collapse
This is what XDA is all about. It tells you how to inject root into your OWN system image. it's the opposite of spoon feeding. it's about teaching members how to do things for themselves. Too many people come here expecting to be spoon fed and have thigns done for them. This thread teaches people how to do their own work, while learning something at the same time.
Good work OP! :good:

the_scotsman said:
This is what XDA is all about. It tells you how to inject root into your OWN system image. it's the opposite of spoon feeding. it's about teaching members how to do things for themselves. Too many people come here expecting to be spoon fed and have thigns done for them. This thread teaches people how to do their own work, while learning something at the same time.
Good work OP! :good:
Click to expand...
Click to collapse
Thanks. I guess people don't know what XDA is about. Seeing noobs and others trying to spit on hard work when I used my time and device as Guinea pig. Also people don't know this is almost brick-proof because the system image if from their devices. Unless they use wrong commands but all here is just copy and paste. They see lot's of text and get cold feet. Anyways will be updating the OP with system images. If yours is available please share. If you see your image available and you have drivers and LG_root downloaded proceed to step 3.

The only downside is that I have to drag out my windows laptop instead of doing everything on the ubuntu machine I use at work.
But if that's the biggest of my problems then I don't really have a problem

hi, thx for this tutorial, looks good
when flashing back the rooted img,does it wipe everything ? apps, data ... etc
thx
EDIT: just correct me if im wrong
using this method WILL NOT wipe everything on my device cause im rooting my system with everything on it
correct ???
must make sure before i go ahead
thx

How to calculator extractly bs/seek/count ?

Is there a possibility of any personal data being written to /system on a phone during normal use? I can provide 10c Optus AU (carrier 505-02) if I can be sure its not identifying, but ive been using the phone a couple of weeks.
Download link:
https://www.androidfilehost.com/?fid=24052804347799013

optiplex2012 said:
using this method WILL NOT wipe everything on my device cause im rooting my system with everything on it
correct ???
Click to expand...
Click to collapse
correct.
---------- Post added at 06:01 PM ---------- Previous post was at 05:29 PM ----------
djkinetic said:
Can this be used to inject Xposed as well for those of us with locked BLs.
Click to expand...
Click to collapse
HTCuser90 said:
How to calculator extractly bs/seek/count ?
Click to expand...
Click to collapse
I would also like to know this. You can resolve system by running the following. Note that this is for the H815T and is not the same on all variants.
# ls -lZ /dev/block/bootdevice/by-name/system
You'll get something like:
lrwxrwxrwx root root ubject_r:block_device:s0 system -> /dev/block/mmcblk0p47
Which tells you the actual block device (partition its on).
And you can see the size of that with:
# cat /proc/partitions
where you see:
major minor #blocks name
<snip>
259 15 4239360 mmcblk0p47
<snip>
However I dont know how to identify how large a block is or how to calculate the start offset in the main partition.

ok, it worked great
wasnt easy, since im not so familiar with using ubuntu, but all is ok
the explanation of the how to... was great and nothing lost
my H815L is now rooted
thx guys

djkinetic said:
Just used flash fire it worked rocking xposed now on 810!
Click to expand...
Click to collapse
I know it's kind of going off topic, but I figured I'd mention that Flash Fire doesn't work on VS986. It just goes to a black screen and sits there forever. I left it sit for almost an hour. I saw elsewhere it has something to do with automount, I'll have to mess with it further.

hackarchive said:
Hit thanks if you appreciate. I spent hours trying to root so hope I helped.
Click to expand...
Click to collapse
Appreciated but you should include a way to unroot (undo) as well, ie how do we get back to stock (if required) ?